As part of modern-day life we all manage multiple online identities on a daily basis. This often means that the same usernames, passwords and email addresses are used across different websites and services.
Reusing a username or email address is perfectly fine, but reusing passwords is a problem. Imagine a scenario where a user signs up to a website that stores the user's password without encryption, which is not as uncommon as one would think. This user also uses the same username or email address for their Twitter account. If a hacker or an unscrupulous employee of that website wanted to, they could steal the user's credentials and try them on Twitter.
They would get access easily.
The key solution to this problem is to use a different password for every website you use. I would also recommend using different secret question/answer combinations. Using a random secret question/answer combination is not a problem if you have a recovery email address in place, and it reduces the risk of someone resetting your account.
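To make the reuse problem concrete, here is an added example (not part of the original post) that audits a set of saved credentials and reports every password shared by more than one site. The records are constructed sample data and the (site, username, password) layout is my own assumption; a real audit would read an export from your password manager. Usernames are deliberately ignored, since reusing those is fine; and the report names each password only by a short hash fingerprint so it never prints the password itself.

```python
# Added example, not from the original post: audit saved credentials for
# password reuse across sites. The records below are constructed sample
# data; the (site, username, password) layout is an assumption.
import hashlib
from collections import defaultdict

CONSTRUCTED_VAULT = [
    ("shop.example.test",   "alice",                   "Summer2019!"),
    ("mail.example.test",   "alice",                   "Summer2019!"),
    ("forum.example.test",  "alice",                   "qT9#vL2m!xWp4zRc"),
    ("bank.example.test",   "alice@mail.example.test", "Summer2019!"),
    ("social.example.test", "alice",                   "n7$Kd8!pQw2#Lm5v"),
]


def fingerprint(password):
    """Short SHA-256 fingerprint so a report can refer to a password
    without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(records):
    """Group sites by password and return {fingerprint: [sites]} for every
    password that protects more than one site.

    Each record is (site, username, password). Usernames are ignored on
    purpose: reusing a username is fine, reusing a password is the problem.
    """
    sites_by_password = defaultdict(set)
    for site, _username, password in records:
        sites_by_password[password].add(site)
    return {
        fingerprint(password): sorted(sites)
        for password, sites in sites_by_password.items()
        if len(sites) > 1
    }


def reuse_report(records):
    """One human-readable line per reused password, listing the affected
    sites, so each of them can be given its own randomly generated password."""
    lines = []
    for fp, sites in sorted(find_reused_passwords(records).items()):
        lines.append(
            f"password {fp} is shared by {len(sites)} sites: {', '.join(sites)}"
        )
    return lines


if __name__ == "__main__":
    for line in reuse_report(CONSTRUCTED_VAULT):
        print(line)
```

Run it and the constructed vault produces a single line naming the three sites that share "Summer2019!"; each of those is a site where a leak at one of them would open the other two.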
The next issue is how to remember all of our passwords for every site we use. Simple! Use a password management program that lets the user easily create an entry for every website and service they use daily (PIN codes, for example). They can use randomly generated passwords whenever they create an account, and to access this master file they use a single 'master password', which must be a STRONG and UNIQUE password that only they know.
Password management solutions are plentiful and becoming more popular all the time for the reasons stated above. My personal favourite is KeePass (http://keepass.info/), a well-developed and secure password management solution by Dominik Reichl. KeePass comes in two different versions:
- Classic (version 1.x)
- Professional (version 2.x)
In nearly all situations you would want to use Professional. The actual differences can be found at http://keepass.info/compare.html, but in short, 1.x is for legacy environments.
KeePass also comes as an installer file and as a portable edition.
When you download KeePass you can either open an existing KeePass master key file or create a new one. The options for securing the file are:
- Master password - Use a password to secure the file. This means the password should be strong, as it is the weak link in the chain.
- Key file - Create a key file, or use an existing file (any file), to act as the key for opening the database. The problem is that if you lose the file you won't be able to get back in.
- Windows user account - Not ideal for use across devices. It also relies on the account not being deleted or modified by another user.
In the above example I am creating a master password file based on just a strong master password.
You can mix and match, but you create more points of failure this way. If you decide to use a password together with a key file and then lose the key file, you will be locked out!
Next comes the setting up of the master password file in terms of its name, description, security and any other features.
Options exist to make it harder to guess the master password using dictionary attacks. AES (256-bit key) is the default encryption cipher.
Creating an entry in a group is self-explanatory. A useful tool is the 'generate password' button inside the add-entry dialog box.
Here you can customise the password to the required length and complexity.
Editing the auto-type settings for this entry is possible for different scenarios. Auto-Type lets you quickly enter your credentials into different websites and programs through hotkeys.
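To show what a generator with configurable length and complexity does under the hood, here is an added example in Python. It is not KeePass's code and not from the original post; the class names, the symbol set and the function names are my own. It draws from `secrets` rather than `random`, guarantees at least one character from each required class, and reports an entropy estimate so you can judge whether the chosen length is enough.

```python
# Added example, not part of KeePass or the original post: a random password
# generator with configurable length and required character classes, plus an
# entropy estimate. The symbol set and names are assumptions for illustration.
import math
import secrets
import string

CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")


def generate_password(length=20, classes=DEFAULT_CLASSES):
    """Return a password of `length` characters drawn from the given classes,
    guaranteeing at least one character from each class.

    `secrets` is used rather than `random`: the latter is a PRNG that is not
    suitable for security-sensitive values."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CHARACTER_CLASSES[name] for name in classes)
    # One mandatory character per class, then fill the rest from the whole alphabet.
    chars = [secrets.choice(CHARACTER_CLASSES[name]) for name in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle so the mandatory characters do not always sit in the first positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password, classes=DEFAULT_CLASSES):
    """True if the password contains at least one character from every class."""
    return all(
        any(c in CHARACTER_CLASSES[name] for c in password) for name in classes
    )


def entropy_bits(length, classes=DEFAULT_CLASSES):
    """Entropy of a uniformly random password of this length over this alphabet.
    The per-class guarantee above excludes a few candidates, so the true figure
    for generate_password() is very slightly lower, noticeably so only for
    short passwords."""
    alphabet_size = sum(len(CHARACTER_CLASSES[name]) for name in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.1f} bits, policy ok: {meets_policy(pw)})")
```

With the default four classes the alphabet has 90 characters, so a 20-character password carries roughly 130 bits, far beyond anything a dictionary or brute-force attack can cover; the trade-off is that such a password is only practical if the manager types or pastes it for you.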
Using triggers (under Tools -> Triggers) lets the user set up events, such as copying a new save of the database, named with the current time, whenever the database is saved, for versioning of the master key file.
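The versioning trigger described above, written out as a standalone script so the behaviour is explicit. This is an added example, not KeePass's trigger engine and not from the original post: it copies the database to a timestamped file, verifies the copy by SHA-256 before trusting it, and prunes all but the newest `keep` versions so the backup folder does not grow without bound. The file names, the `keep` count and the `demo()` helper (which runs the whole thing in a temporary directory on constructed bytes, not a real .kdbx) are assumptions for illustration.

```python
# Added example, not part of KeePass or the original post: a timestamped,
# verified backup of the database file with pruning of old versions.
# Paths, the `keep` count and the demo data are assumptions for illustration.
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's contents, used to verify the copy."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def backup_database(db_path, backup_dir, keep=10, now=None):
    """Copy db_path to backup_dir/<stem>-YYYYMMDD-HHMMSS<suffix>, verify the
    copy, delete all but the newest `keep` versions and return the copy's path.
    `now` can be injected for testing; it defaults to the current time."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    db_path, backup_dir = Path(db_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = (now or datetime.now()).strftime("%Y%m%d-%H%M%S")
    target = backup_dir / f"{db_path.stem}-{stamp}{db_path.suffix}"
    shutil.copy2(db_path, target)  # copy2 also preserves the modification time
    if sha256_of(target) != sha256_of(db_path):
        target.unlink()
        raise IOError("backup copy does not match the database")
    # The timestamp format sorts lexically in chronological order, so the
    # oldest versions are at the front of the sorted list.
    versions = sorted(backup_dir.glob(f"{db_path.stem}-*{db_path.suffix}"))
    for old in versions[:-keep]:
        old.unlink()
    return target


def demo(keep=3, copies=5):
    """Exercise backup_database in a temporary directory on constructed data.
    Returns (first backup file name, whether its bytes matched the database,
    sorted names of the versions left after `copies` saves)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "vault.kdbx"
        db.write_bytes(b"constructed database contents, not a real .kdbx")
        backups = Path(tmp) / "backups"
        first = backup_database(db, backups, keep, now=datetime(2020, 1, 1, 12, 0, 0))
        matches = first.read_bytes() == db.read_bytes()
        for second in range(1, copies):  # simulate later saves, one per second
            backup_database(db, backups, keep, now=datetime(2020, 1, 1, 12, 0, second))
        remaining = sorted(p.name for p in backups.glob("vault-*.kdbx"))
        return first.name, matches, remaining


if __name__ == "__main__":
    print(demo())
```

Keep the backup folder somewhere the database's own storage failure would not also take out (a second disk or a different cloud folder), and remember that every copy is as sensitive as the original: the versions are still protected by the master password, but an old version also preserves any password you have since changed.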
Using KeePass with multiple operating systems is possible. By default KeePass only supports Windows, but there are several open-source ports available from trusted third parties. On the iPhone the user can download MiniKeePass, and KeePassX exists for OS X. Combining KeePass with cloud storage such as Dropbox or Google Drive means you can work from any device and share the most recent version with your other devices.
I would highly recommend looking into all the features that KeePass provides. Hopefully this short guide gives you enough information to get started. Remember, it's worth spending the time securing your online presence, not just for the practical side of being safe but also for the peace of mind of knowing you are covered against leaks and attacks.